SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 84

changes.mady.by.user Robert Seacord

Saved on

compared with

New Version Current

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: REM Cost Reform

When developing new code, declare functions that return errno with a return type of errno_tMany existing functions that return errno are declared as returning a value of type int. It is semantically unclear by inspecting the function declaration or prototype if these functions return an error status or a value or, worse, some combination of the two. (See ERR02-C. Avoid in-band error indicators.)

C11 Annex K  introduced the new type errno_t that is defined to be type int in errno.h and elsewhere. Many of the functions defined in C11 Annex K return values of this type [ISO/IEC 9899:2011]. The errno_t type should be used as the type of an object that may contain only values that might be found in errno. For example, a function that returns the value of errno should be declared as having the return type errno_t.

This recommendation depends on C11 Annex K being implemented and advocates using errno_t in new code where appropriate.   The following code can be added to remove this dependency:


 

Code Block
languagecpp
#ifndef __STDC_LIB_EXT1__
  typedef int errno_t;
#endif

 


Noncompliant Code Example

...

This noncompliant code example nevertheless complies with ERR30-C. Set errno to zero before calling a library function known to set errno, and check errno only after the function returns a value indicating failureTake care when reading errno.

Compliant Solution (POSIX)

...

Code Block
bgColor#ccccff
langc
#define __STDC_WANT_LIB_EXT1__ 1
 
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
    
enum { NO_FILE_POS_VALUES = 3 };

errno_t opener(
  FILE *file,
  size_t *width,
  size_t *height,
  size_t *data_offset
) {
  size_t file_w;
  size_t file_h;
  size_t file_o;
  fpos_t offset;

  if (NULL == file) { return EINVAL; }
  errno = 0;
  if (fgetpos(file, &offset) != 0 ) { return errno; }
  if (fscanf(file, "%zu %zu %zu", &file_w, &file_h, &file_o)
        != NO_FILE_POS_VALUES) {
    return EIO;
  }

  errno = 0;
  if (fsetpos(file, &offset) != 0 ) { return errno; }

  if (width != NULL) { *width = file_w; }
  if (height != NULL) { *height = file_h; }
  if (data_offset != NULL) { *data_offset = file_o; }

  return 0;
}

This compliant solution is categorized as a POSIX solution because it returns EINVAL and EIO , which are defined by POSIX (IEEE Std 1003.1, 2013 Edition) but not by the C Standard.

...

Failing to test for error conditions can lead to vulnerabilities of varying severity. Declaring functions that return an errno with a return type of errno_t will not eliminate this problem but may reduce errors caused by programmers' misunderstanding the purpose of a return value.

Recommendation

Severity

Likelihood

Detectable

Remediation Cost

Repairable

Priority

Level

DCL09-C

Low

low

Unlikely

unlikely

No

low

Yes

P3

P2

L3

Automated Detection

Tool

Version

Checker

Description

Axivion Bauhaus Suite

Include Page
Axivion Bauhaus Suite_V
Axivion Bauhaus Suite_V

CertC-DCL09
LDRA tool suite
 
Include Page
LDRA_V
LDRA_V
634 SPartially Implemented

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

SEI CERT C++
Secure
Coding StandardVOID DCL09-CPP. Declare functions that return errno with a return type of errno_t
ISO/IEC
9899:2011K.3.2 "Errors <errno.h>"ISO/IEC
TR 24772:2013Ignored Error Status and Unhandled Exceptions [OYB]
MISRA C:2012Directive 1.1 (required)

Bibliography

[Open Group 2004]

...

Bibliography

[IEEE Std 1003.1:2013]


...

Image Modified Image Modified Image Modified